Google Introduces ‘Air-Gapped’ Backup Vault to Thwart Ransomware

Google has fitted a new backup storage vault feature into its flagship cloud service to help organizations protect backed-up data from crippling ransomware attacks.

The new feature is promising immutable (preventing modification) and indelible (preventing deletion) backups, securing data backups against tampering and unauthorized deletion

The new utility, being added to the Google Cloud Backup and Disaster Recovery (DR) service, is meant to combat ransomware attacks that target backed-up data during encryption and extortion cyberattacks.

“Backups often represent the last resort for recovery when production data becomes unavailable or untrusted,” Google said in a note describing the feature. “It’s critical to not only back up your critical workloads, but also to secure those backups against subsequent modification and deletion. Backup vault provides secure storage for backups.”

The company said backup vault data is stored in a Google-managed project and is logically air-gapped from an organization’s self-managed Google Cloud project.

“The underlying backup vault resources are not visible or accessible to users in your organization, which prevents direct attacks against those resources,” Google said.

“When creating a backup vault, you can specify that vaulted backups must be strongly secured against modification and deletion until the administrator-specified minimum enforced retention timeframe has elapsed. This layered protection enables you to deliver on backup immutability (security against data modification) and indelibility (security against data deletion) objectives, which are often driven by security initiatives or by regulatory compliance requirements,” Google added.

The company touted reliable and flexible recovery of data via vaulted backups that are self-contained and enable recovery even when the source resource is no longer available.

“Backup vaults can be created in a project that differs from the source project (e.g., the project where a protected Compute Engine VM is running), thus ensuring that backups remain accessible even if the source project or resource is no longer present. As a result, you can configure your backup policy to provide strong resilience against source project deletion,” the cloud provider said.

The new utility also supports immediate recovery of production applications to pre-existing or newly-created projects, including recovery into projects configured as isolated recovery environments (IREs) for pre-recovery testing/forensics in the aftermath of a ransomware attack.

The backup vault feature supports protection for Compute Engine VMs, VMware Engine VMs, Oracle databases, and SQL Server databases.

Courtesy of Ryan Naraine, Security Week